Malvertising Continues to Pound Legitimate Web Sites

In the last three months of 2010 attackers managed to serve 3 million malicious advertising, or malvertising, impressions every day. That's the headline figure from a report released today from Web security firm Dasient. According to Dasient, that's a 100 percent increase from the preceding quarter.

Part of the increase may be attributed to Dasient increasing the types of ad networks it tracks. In this report, the firm began tracking so-called remnant advertising networks (networks that sell empty advertising slots at the last opportunity) as part of its study. Because these networks aggregate advertisements and charge a low rate, there is less revenue and possibly less vetting of the safety of advertisements, the report stated.

Artwork: Chip Taylor"Reputable ad networks also often syndicate or sub-syndicate unsold ad space to remnant ad networks instead of filling them with house ads. With the addition of more remnant ad networks in our telemetry, we believe that we are more accurately reflecting the current state of malvertsing," the report stated.

Last week the real threat of malvertising shook visitors to the London Stock Exchange's Web site. Visitors to the site were hit with ads crafted to display bogus security alerts.

These malicious ads, designed to sell anti-virus software, somehow infiltrated an ad network that is used by the London Stock Exchange. Robert McMillan has more in his report Malware ads hit London Stock Exchange site.

Because of their ease of execution and effectiveness at reaching a broad audience, these attacks aren't expected to stop soon. In fact, according to Elad Sharf, researcher with Websense Security Labs, they're always striving to become even stealthier. With every new cyber attack, criminals custom build malware variants - the malware file goes through extra processing with the aid of tools that are part of the cyber criminal toolkit like packers, obfuscators and encryptors. Because this is custom made and new, the Antivirus detection is very low as would be expected on a new variant, so it can actually run on the user machine if an exploit is successful. Detection rate at the time of the attack is 11 percent according to Virustotal," he said.

The London Stock Exchange attack also points to another troubling trend in malicious advertising attacks: rather than infiltrate them, criminals are simply buying the ad space needed to propagate their attacks. "We have been following the exploit domains in this malvertising campaign for quite a long time now, and it seems that cyber criminals frequently use fee-based advertising networks to propagate malware - that means cyber criminals are willing to pay in order to propagate malware," Sharf said.

George V. Hulme writes about security and technology from his home in Minneapolis. When he's not clicking on online ads, he can be found on Twitter as @georgevhulme.